PACTF 2018 round 2 - Write-ups

🔗Information

🔗Version

By Version Comment
noraj 1.0 Creation

🔗CTF

  • Name : PACTF 2018 round 2
  • Website : pactf.com
  • Type : Online
  • Format : Jeopardy
  • CTF Time : link

🔗10 - Redacted - Forensics

ANDOVER, MA— Phillips Academy Capture the Flag releases an institution-wide memorandum on the security of PDF documents. For privacy, parts of the memo are redacted.

View the memo: SECURE REDACTED MEMORANDUM.

Open the PDF and you can see redacted areas.

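The redaction boxes are only drawn over the text, which is still present in the PDF's text layer, so let's convert it to text: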

$ pdf2txt.py SECURE_REDACTED_COPY.42ce971cad34.pdf 
PACTF

180 Main Street, Andover MA 01810
contact@pactf.com
pactf.com

MARCH 1ST, 2013

MEMORANDUM ON THE SECURITY OF PDF DOCUMENTS AND REDACTION

Over the past several years, there have been several instances in which a journalist, government
officer, or corporate executive has released an otherwise-secret document with redactions.
Unfortunately, these amateur redactors often do a poor job hiding the data they mean to redact,
and leave themselves vulnerable to even the most trivial exploits.

Indeed, few issues pose as real and present a threat as poorly redacted PDF documents. If you
wish to release a PDF document, be sure to release only an image of the file—that way, you won’t
be vulnerable to leaks.

The flag is `b3_car3ful_0r_y0ur_l3ak_m1ght_l3ak`.

AN OFFICIAL MEMORANDUM OF PACTF 2018

REDACTED COPY

🔗15 - Am I Pwned? - Crypto

I was talking on IRC with a guy who tricked me into giving him a hash of my password and then said he could hack me! He said I might be “pwned”! I know the hashing algorithm is MD5; that’s still secure, right?

… Oh, you want to know whether my password is secure or not?

It doesn’t have any uppercase letters or numbers or punctuation, but isn’t six characters still a lot? what he meant by that one. Would you be able to hack my password? Here’s the hash:

eca065fba51916821eb7274c786c67d9

Just go to crackstation or hashkiller.

eca065fba51916821eb7274c786c67d9: md5('lmaoez')

🔗20 - It's In, If - Forensics

My older brother sent me this photo, but I don’t know what to make of it.

Look at the metadata:

$ exiftool itsinif.8f2056d643d8.jpg 
ExifTool Version Number : 10.80
File Name : itsinif.8f2056d643d8.jpg
Directory : .
File Size : 18 kB
File Modification Date/Time : 2018:04:15 03:58:32+02:00
File Access Date/Time : 2018:04:24 21:09:18+02:00
File Inode Change Date/Time : 2018:04:24 21:09:18+02:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
X Resolution : 100
Y Resolution : 100
Exif Byte Order : Big-endian (Motorola, MM)
Image Description : NO CODE EXECUTION ALLOWED HERE
Make : PACTF
Resolution Unit : inches
Y Cb Cr Positioning : Centered
GPS Latitude Ref : North
GPS Longitude Ref : West
XMP Toolkit : Image::ExifTool 10.40
Stitching Software : big_brother_is_looking_at_your_photos
Image Width : 198
Image Height : 199
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
GPS Latitude : 42 deg 38' 51.63" N
GPS Longitude : 71 deg 7' 51.82" W
GPS Position : 42 deg 38' 51.63" N, 71 deg 7' 51.82" W
Image Size : 198x199
Megapixels : 0.039

🔗35 - The Signal and the Noise - Misc

We can check if there are other chars than letters and spaces:

$ grep -i "[^a-z ]" haystack.ef77fe451087.txt > output

$ hte output

We can see there are some unicode spaces and invisible chars inside some words.

I wrote a quick Ruby script to extract those words:

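# Read the haystack as UTF-8 so each non-ASCII character is matched as one character
data = File.read('haystack.ef77fe451087.txt', encoding: 'UTF-8')

# Keep the letters on both sides of every non-ASCII (invisible) character
puts data.scan(/([a-z]+)[^[:ascii:]]([a-z]+)/).join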

Run the script:

$ ruby noise.rb
theflagisinplainsight

Just submit the flag is in plain sight.

🔗45 - Truly Blue? - Stegano

I love lots of things about my school, Phillips Academy Andover. But most of all, I love its school color: a soothing shade of blue. I couldn’t just tell you the hex code for the color; that wouldn’t be enough! I think a 128 x 128 PNG file is probably a better method of conveying its utter beauty. That’s not suspicious, right? Gaze upon its beauty! True blue!

I used StegoVeritas to extract the least-significant-bit (LSB) steganography data from the image.

After that we can read the following text:

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut eleifend, metus accumsan accumsanpharetra, dui justo lobortis augue, non bibendum sapien lacus a nulla. Praesent non libero et magnaornare interdum. Vivamus et mi et justo tincidunt porttitor placerat in nisl. Nam mollis quam sitamet iaculis volutpat. Nulla posuere pulvinar est, ac consectetur ex rhoncus non. Vivamus efficitur,ex vel lobortis faucibus, massa neque iaculis libero, eu dictum orci odio ut ante. Phasellus luctusmagna vel euismod cursus. Donec et est rhoncus, lacinia metus in, sodales lectus. Sed posuere, nibhvitae egestas rutrum, nisl odio iaculis urna, et bibendum dolor augue tristique lacus. Ut nuncmetus, blandit a nisl vitae, pulvinar fringilla justo. The flag is "last bitsmatter". Congratulations! You cracked the code!

PS: there is an error in the chall or I did something wrong, the flag is last bits matter and not last bitsmatter.

🔗60 - Wakanda problem is this? - Stegano

You’ve arrived at Wakanda’s border. Only the flag will allow you to enter. This is all you have.

Hint: Use the bytes in the second image.

Extract the trailing data from the image; it's a zip, so decompress it. You then find 2 images.

You can clearly see that the second image is glitched.

Make a hexadecimal dump of each image in order to compare them:

$ xxd blackpanther1.jpg > black1.txt
$ xxd blackpanther2.jpg > black2.txt
$ diff black1.txt black2.txt
366,367c366,367
< 000016d0: d46d ab2b 42f9 3a3a bd5d 1854 50d3 416c .m.+B.::.].TP.Al
< 000016e0: 8ab5 ca7d 45d1 353e 9ceb ba9e 9fab 8daa ...}E.5>........
---
> 000016d0: 666c 6167 7b77 616b 616e 6461 3465 7661 flag{wakanda4eva
> 000016e0: 7db5 ca7d 45d1 353e 9ceb ba9e 9fab 8daa }..}E.5>........

Flag is wakanda4eva.

🔗45 - Zip Zap Zop - Misc

My friend gave me this file, but I have no idea what to do with it?

Hint: I tried to make this file really, really small.

Let's open the base64 zip in Firefox and save it:

data:application/zip;base64,eJyrmMN4nMHif8Ucxj0MziBqI4MfiFrGEAmiZjOkAKnVMw7fOBjwb38SX7Kus3CHVtIL1sCXPMYNV15Jtqvy5f4IrQ85dna/bvjDkPvOrZyB2enxsywSj7Wwt27X231bPzTf4tej2F+/A5b/exNW/K3od/rSUlV7ptPmYiJxIfvExe398+6lSWvPtj62+7vkUxXbvuk3X5SuehP18txKv5vB340N3my/vEO7+M6TCb9FTpdqS7ydlTt5jiQD6xy3r8aavvXx6wJ3HewIexrtH1OjtTNREAAud2V5

After trying to unzip it and failing, it seems it's not a zip but a zlib stream:

$ unzip dfyxIN6e.zip 
Archive: dfyxIN6e.zip
End-of-central-directory signature not found. Either this file is not
a zipfile, or it constitutes one disk of a multi-part archive. In the
latter case the central directory and zipfile comment will be found on
the last disk(s) of this archive.
unzip: cannot find zipfile directory in one of dfyxIN6e.zip or
dfyxIN6e.zip.zip, and cannot find dfyxIN6e.zip.ZIP, period.

$ file dfyxIN6e.zip
dfyxIN6e.zip: zlib compressed data

So I used zlib-flate to uncompress it, but I saw the output was still a zlib archive, only smaller, so I began to pipe them.

The archive is very small, so there is no need to script that; a very dirty one-line command can do it:

$ zlib-flate -uncompress < 5FZrGWXN.zip | zlib-flate -uncompress |  zlib-flate -uncompress | zlib-flate -uncompress | zlib-flate -uncompress | zlib-flate -uncompress | zlib-flate -uncompress | zlib-flate -uncompress | zlib-flate -uncompress | zlib-flate -uncompress | zlib-flate -uncompress | zlib-flate -uncompress | zlib-flate -uncompress | zlib-flate -uncompress
}qXflagqX!Gotza_Makes_1T_V_small_1340216081qs.

Flag is Gotza_Makes_1T_V_small_1340216081
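
The same layer peeling as the pipeline above, scripted so the depth does not have to be guessed. This is an added example, not part of the original write-up; the helper names, the layer and size limits, and the sample payload are assumptions made for the illustration.

```ruby
require 'zlib'

class InflateLimitError < StandardError; end

# Inflate one zlib stream, refusing to produce more than max_size bytes so a
# hostile input cannot exhaust memory (decompression bomb).
def bounded_inflate(data, max_size)
  z = Zlib::Inflate.new
  out = String.new
  begin
    z.inflate(data) do |chunk|
      out << chunk
      raise InflateLimitError, "more than #{max_size} bytes" if out.bytesize > max_size
    end
    raise Zlib::DataError, 'truncated zlib stream' unless z.finished?
  ensure
    z.close
  end
  out
end

# Peel nested zlib layers until the data stops being a valid zlib stream.
# Returns [innermost_bytes, layer_count]. The limits are assumptions for this
# example, not values from the challenge.
def peel_zlib(data, max_layers: 64, max_size: 1 << 20)
  layers = 0
  while layers < max_layers
    begin
      data = bounded_inflate(data, max_size)
    rescue Zlib::Error
      break # innermost payload reached: it is no longer zlib
    end
    layers += 1
  end
  [data, layers]
end

# Constructed sample: a made-up payload wrapped in 5 zlib layers.
SAMPLE_PAYLOAD = 'flag{constructed_example}'
SAMPLE_NESTED = 5.times.reduce(SAMPLE_PAYLOAD) { |d, _| Zlib::Deflate.deflate(d) }

if __FILE__ == $PROGRAM_NAME
  inner, layers = peel_zlib(SAMPLE_NESTED)
  puts "#{layers} layers -> #{inner}"
end
```

A result with `layers == max_layers` means the cap was hit before the innermost payload was reached.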

🔗80 - AI - Misc

Our artificial intelligence engineer made a groundbreaking discovery, but left the company unexpectedly… all we have is the obfuscated source.txt…

Execute JS brainfuck:

"Congrats! You've uncovered the truth. Now go here: ibarakaiev.shpp.me/pactf_s7fj43/ai.zip"

Decompress the zip, look at assets/js/script.js.

// be careful when changing stupid to false or it can produce the key!!!
function launch_artificial_intelligence(stupid)

Let's do that:

launch_artificial_intelligence(false);

So we obtain this:

Hi. I exploited weaknesses of Facebook to access everybody's information... Actually I just asked Mark and he sold it. Oh well.

Turned out the most discussed topic was...

CATS

But that's not the key. The key is now stored securely in ("http://ibarakaiev.shpp.me/pactf_s7fj43/key_%d.txt", get_key_number(6, [16, 23, 16, 15, 42, 8])).

The get_key_number function is not implemented, but it's pretty easy to understand:

// this function returns the number needed to access key_%d.txt
function get_key_number(n, arr) {
// TODO: implement solution to the following problem

/**
* You are given a sequence _s_ consisting of _N_ integers. You can divide it to
* two sequences _p_ and _q_ such that every element of your sequence belongs exactly
* to one of these sequences.
*
* Let _B_ be the sum of elements belonging to _p_, and _C_ be the sum of elements
* belonging to _C_. Note: if some of the sequences is empty then its sum is 0).
* What is the maximum possible value of _B_ - _C_
*/
}

The biggest value we can get is by putting all numbers in sequence _p_ and none in sequence _q_ (every number is positive), so 42+16+23+16+8+15 - 0 = 120.

So we can request http://ibarakaiev.shpp.me/pactf_s7fj43/key_120.txt.

But you'll have to decrypt it first! The following text is displayed using byfes (it's like bytes but only 5 bits).

mrxwozAp

PACTFSCII is as follows (it's like ASCII but for PACTF). PACTF system only accepts ASCII characters, however.
0 - a
1 - b
2 - c
3 - d
4 - e
5 - f
6 - g
7 - h
8 - i
9 - j
10 - k
11 - l
12 - m
13 - n
14 - o
15 - p
16 - q
17 - r
18 - s
19 - t
20 - u
21 - v
22 - w
23 - x
24 - y
25 - z
26 - P
27 - A
28 - C
29 - T
30 - F
31 - \0

With the PACTFSCII table we get 12,17,23,22,14,25,27,15 from mrxwozAp.

Now let's convert decimal 12,17,23,22,14,25,27,15 into binary byfes: 01100,10001,10111,10110,01110,11001,11011,01111.

Now regroup the 5-bit byfes into true 8-bit bytes: 0110010001101111011001110110011101101111, which converted to ASCII gives doggo.
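
The three manual steps above as a small decoder, with the inverse direction for checking. This is an added example, not code from the challenge or the original write-up; the function names and the handling of leftover padding bits are assumptions, since the key file does not describe padding.

```ruby
# PACTFSCII table from the key file: 0-25 = a-z, 26-30 = P A C T F, 31 = NUL.
PACTFSCII = (('a'..'z').to_a + %w[P A C T F] + ["\0"]).freeze

# Decode a string of 5-bit "byfes" into 8-bit bytes.
def byfes_to_ascii(text)
  groups = text.each_char.map do |ch|
    value = PACTFSCII.index(ch)
    raise ArgumentError, "not a PACTFSCII character: #{ch.inspect}" if value.nil?

    format('%05b', value)
  end
  bits = groups.join
  # Leftover bits that do not fill a whole byte are treated as padding
  # (assumption: the key file does not say how padding works).
  bits.scan(/[01]{8}/).map { |byte| byte.to_i(2) }.pack('C*').force_encoding('US-ASCII')
end

# Inverse direction, zero-padding the last byfe (same assumption as above).
def ascii_to_byfes(text)
  bits = text.unpack1('B*')
  bits += '0' * ((5 - bits.length % 5) % 5)
  bits.scan(/[01]{5}/).map { |byfe| PACTFSCII[byfe.to_i(2)] }.join
end

if __FILE__ == $PROGRAM_NAME
  puts byfes_to_ascii('mrxwozAp')
end
```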

🔗75 - Library of Babel - Misc

Is this what passes through fiber optic cables? Must be…

Note: We did only the first part of this challenge, the second part was too much guessing for us.

Extract all frames from the video with imagemagick:

$ convert video.f3db89aeb9f4.mp4 image.png

$ ls
image-0.png image-14.png image-19.png image-23.png image-28.png image-32.png image-37.png image-41.png image-46.png image-50.png image-55.png image-5.png image-64.png image-7.png
image-10.png image-15.png image-1.png image-24.png image-29.png image-33.png image-38.png image-42.png image-47.png image-51.png image-56.png image-60.png image-65.png image-8.png
image-11.png image-16.png image-20.png image-25.png image-2.png image-34.png image-39.png image-43.png image-48.png image-52.png image-57.png image-61.png image-66.png image-9.png
image-12.png image-17.png image-21.png image-26.png image-30.png image-35.png image-3.png image-44.png image-49.png image-53.png image-58.png image-62.png image-67.png video.f3db89aeb9f4.mp4
image-13.png image-18.png image-22.png image-27.png image-31.png image-36.png image-40.png image-45.png image-4.png image-54.png image-59.png image-63.png image-6.png

So I used zxing to decode all frames:

require 'zxing'

# Frames are numbered image-0.png to image-67.png
(0..67).each do |i|
  puts ZXing.decode "files/image-#{i}.png"
end

One of the images gives this output:

=== YOUR ANSWER IS HERE ===
"eqvzb" w-3, s-5, v-25, p-248
=== YOUR ANSWER IS HERE ===